ESB-2012.0227 - [Win][UNIX/Linux][Debian] postgresql-8.4: Multiple vulnerabilities

Date: 28 February 2012
References: ESB-2012.0487  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0227
                      postgresql-8.4 security update
                             28 February 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           postgresql-8.4
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Increased Privileges            -- Existing Account      
                   Unauthorised Access             -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0868 CVE-2012-0867 CVE-2012-0866

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2418

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running postgresql-8.4 check for an updated version of the software
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2418-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 27, 2012                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : postgresql-8.4
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0866 CVE-2012-0867 CVE-2012-0868

Several local vulnerabilities have been discovered in PostgreSQL, an 
object-relational SQL database. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2012-0866

   It was discovered that the permissions of a function called by a 
   trigger are not checked. This could result in privilege escalation.

CVE-2012-0867

   It was discovered that only the first 32 characters of a host name 
   are checked when validating host names through SSL certificates. 
   This could result in spoofing the connection in limited 
   circumstances.

CVE-2012-0868

   It was discovered that pg_dump did not sanitise object names.
   This could result in arbitrary SQL command execution if a
   malformed dump file is opened.   

For the stable distribution (squeeze), this problem has been fixed in
version 8.4.11-0squeeze1. 

For the unstable distribution (sid), this problem has been fixed in
version 8.4.11-1.

We recommend that you upgrade your postgresql-8.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================